How to Use Passwords (& Passphrases) and Not be Hacked

Learn how to use passwords (and passphrases) because a single weak password can be your undoing.

Here are the best tips for how to use passwords and passphrases.

Why You Should Always Use Different Passphrases

Although inconvenient, you should never use the same passphrase for different accounts, no matter how unimportant you may think any single account is. Use a unique passphrase for each and every one of your accounts. Otherwise, the security of all your accounts may only be as good as your weakest passphrase.

Top Tip – We’ll say it again: don’t repeat passphrases. Use a different passphrase for each and every account you have.

Formulas and Patterns are Bad Too

Similarly, do not use a formula or pattern for generating passphrases. If an attacker discovers that you always use the same formula or pattern to generate otherwise “unique” passphrases, he or she will soon be using it to breach your accounts.

An example of such a pattern or formula would be taking the first two letters of a website's name (with the second capitalized) and then adding 231456 to the end. Using this formula for the website www.example.com would make your password eX231456. While this password might look strong, once the pattern or formula is discovered it becomes useless and leads only to more account breaches.

Hackers exploit the fact that many people reuse the same passphrase or alter it only slightly each time. Professional snoops are trained to crack the easy passwords first, because many people use the same or similar passphrases for all of their accounts. In addition, your employer or colleagues may have access to some of your passphrases at work; if you use the same passphrase (or pattern) for your personal accounts, you expose those accounts too.

The Domino Effect of a Single Bad Passphrase

Such knock-on security risks can also arise when a hacker gains access to a non-sensitive account and then uses the information he or she finds there to guess or crack your more sensitive accounts. As already mentioned, once a single one of your accounts is compromised, the hacker may find confirmation emails or other details that help them breach other accounts. For example, if a hacker has obtained access to one of your accounts, he or she may be able to obtain your passphrases for other accounts linked to it by carrying out “forgotten password” resets.

Even if the breached account doesn't contain password confirmation messages for other accounts, it may still contain plenty of personal information enabling the attacker to answer ‘Forgot your password?’ security questions or to gain access in a number of other ways.

In cases where the password reset is protected by additional security questions, the hacker could try answering them using little more information than your birthdate, your mother’s maiden name or the name of your pet. Perhaps the hacker has gleaned this information from the initially hacked account or even posts you or a friend made to social media.

And of course, the first thing a hacker will do after compromising your account is change the password, locking you out. And it is no easy task to reclaim an account once it has been hijacked.

It is because a single account breach can quickly lead to others that you need to follow, and take seriously, our passphrase guidance here. Despite all the sophisticated hacking methods available, the simple breaching of weak passwords remains far and away the biggest threat to your security. Just ask the celebrities victimized by the Frappening. The good news is that this risk is easily addressed.

How to Use Passwords (What Makes a Good Passphrase?)

Rather than lecture you about passwords and passphrases, let's simply recap the best practices you should adopt.

Simply stated: you must construct strong passphrases that are difficult for hackers to crack. This is one of the most fundamental aspects of your Internet security. Your accounts, information, devices and apps are only as secure as the passphrases you use to protect them.

This means using longer, more complicated and even random passphrases. As general rules:

Passphrases should be at least 8 characters long, but the longer the better.

Passphrases should use a mix of at least 3 character types (uppercase letters, lowercase letters and numbers). Ideally, you should also use symbols (! – +), if supported.

Passphrases should not contain your name, username, birth date, license plate number, phone number, favorite movie or any other personal information, including similar details for your spouse, partner or children.

Passphrases should not contain any nouns (the names of persons, places or things).

Ideally, passphrases should not contain words found in any dictionary of any language.

The last point is often ignored but important, as it further protects your accounts from brute-force dictionary attacks.

More About: Brute Force Dictionary Attacks – A brute-force dictionary attack is a method hackers use to crack passwords by trying every word found in dictionaries (and not only English-language dictionaries). Hackers use apps to enter every word, as well as combinations and variants of words, to gain entry to your accounts. This hacking method can be surprisingly simple and fast.

When generating passphrases, pick something random and even ridiculous. If you follow these guidelines, it will simply take too long for hackers to crack your passphrases and they will move on to an easier victim.
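As an added example (not code from the original article), the rules listed above and the note on dictionary attacks can be turned into a small Python checker, and the “pick something random” advice can be followed with the standard library's `secrets` module, which draws from the operating system's cryptographic random source. The word list, the leetspeak substitution table and the personal details are constructed stand-ins; a real checker would load much larger multi-language word lists. Note that the pattern-derived password eX231456 from earlier passes every per-password rule, which is exactly why the article warns about patterns separately.

```python
import math
import secrets
import string
from typing import Iterable, Optional

# Constructed stand-in for the multi-language word lists cracking tools use;
# a real checker would load far larger lists from files (assumption).
DICTIONARY = {
    "password", "welcome", "dragon", "summer", "monkey", "letmein",
    "example", "london", "paris", "secret", "qwerty", "sunshine",
}

# Letter-for-symbol substitutions that cracking tools undo automatically,
# so "P@ssw0rd" is judged as the dictionary word "password" (constructed table).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8        # "at least 8 characters long"
MIN_CLASSES = 3       # "at least 3 character types"
MIN_WORD_LEN = 4      # ignore very short words to limit false positives
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def character_classes(pw: str) -> int:
    """Count how many of the upper, lower, digit and symbol classes appear in pw."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)


def contains_dictionary_word(pw: str, words: Iterable[str] = DICTIONARY) -> Optional[str]:
    """Return the longest dictionary word embedded in pw after undoing
    leetspeak substitutions, or None if there is none."""
    normalized = pw.lower().translate(LEET_MAP)
    for word in sorted(words, key=len, reverse=True):
        if len(word) >= MIN_WORD_LEN and word in normalized:
            return word
    return None


def contains_personal_info(pw: str, personal: Iterable[str]) -> Optional[str]:
    """Return the first personal detail (name, birth year, pet name, ...) found
    in pw, matched case-insensitively and with leetspeak undone, or None."""
    lowered = pw.lower()
    normalized = lowered.translate(LEET_MAP)
    for item in personal:
        needle = item.lower()
        if len(needle) >= 3 and (needle in lowered or needle in normalized):
            return item
    return None


def check_passphrase(pw: str, personal: Iterable[str] = ()) -> list:
    """Apply the article's rules; return the list of problems (empty = passes).
    A pattern-derived password such as eX231456 passes every per-password rule,
    which is why patterns have to be avoided separately."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short ({len(pw)} < {MIN_LENGTH} characters)")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character types")
    word = contains_dictionary_word(pw)
    if word:
        problems.append(f"contains dictionary word '{word}'")
    detail = contains_personal_info(pw, personal)
    if detail:
        problems.append(f"contains personal detail '{detail}'")
    return problems


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a string drawn uniformly at random: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_passphrase(length: int = 16) -> str:
    """Draw characters uniformly from ALPHABET using the OS CSPRNG (secrets),
    retrying in the rare case the result trips one of the checks above."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_passphrase(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample passwords and personal details for the demonstration.
    me = ["Alice", "Fluffy", "1987"]
    for sample in ["abc", "P@ssw0rd1", "Fluffy1987!", "eX231456"]:
        print(f"{sample!r}: {check_passphrase(sample, me) or 'passes all rules'}")
    fresh = generate_passphrase(16)
    print(f"generated {fresh!r} with about {entropy_bits(16):.0f} bits of entropy")
```

A 16-character string drawn uniformly from 94 symbols carries roughly 105 bits of entropy, which is what makes the article's "it will simply take too long" claim hold; the same length built from a formula carries only the entropy of the formula's variable part.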

How to Use Password Apps to Manage Your Passphrases

While it may be a pain to keep track of many complicated passphrases, there are plenty of tools to help you quickly generate strong ones and to keep track of them. Many apps even help you automatically and seamlessly log in to your stored accounts.

Dashlane (free & premium versions available) is a popular and reliable premium passphrase manager app. Dashlane even lets you change all of your passwords with a single click. This can be a lifesaver, especially in the face of large scale data breaches. See our in-depth Dashlane review.

LastPass (free & premium versions available) is a handy passphrase management tool for all your online accounts. With LastPass, you set up one master passphrase and it keeps and manages all of your account passphrases. LastPass helps you construct strong passphrases with an easy wizard that automatically appears when you are creating a new passphrase. The underlying data is kept on LastPass’ encrypted servers – hence, using this service requires a degree of trust in the provider and confidence that they won’t be the victim of a widespread hack – but storing your data in the cloud this way also allows you to access your passphrases remotely from any device connected to the Internet. See our detailed LastPass review.

How to Use Passwords Wrap-Up

With the easy-to-use and free (or inexpensive) password manager apps now available, there is no excuse for bad password practices.

Do yourself a favor and start using one as soon as possible (now!) to keep safe online and prevent yourself from being hacked.
